BGP AS Path Prepending

BGP AS Path Prepending or BGP prepend is a common technique for incoming path manipulating. When we want to engineer the traffic coming from another BGP AS to our BGP AS, BGP AS prepending is one of the most common mechanisms. There are cases BGP AS Prepend doesn't work and shouldn't be used as well, and in this post, we will look at them too by using the below topology.

In the above topology, we have two BGP Autonomous Systems. AS 200 is Customer BGP AS, and AS 100 is Provider BGP AS. As a customer, AS 200 wants AS100 to send the traffic over the left path as a Primary path and the right path as a backup path as is depicted in the above topology.

BGP AS Path Prepend

When we want to have Primary and Backup Paths as it is depicted in the above topology. BGP AS Path Prepending technique is used to influence upstream BGP Autonomous Systems' decision. BGP Prepend means, adding our BGP AS to the AS-path multiple times. In the above topology, 10.0.10.0/24 network's BGP AS 200 is advertised with 3 AS prepend. By default when the prefix is advertised to EBGP neighbor, announcing AS adds its AS number one time. Thus, over the primary path in the above topology, 10.0.10.0/24 is announced just 1 time, and AS Path is shown as AS 200.

1 is already announced and an additional 3 AS Prepend, over the backup path in the above topology, a total of 4 times AS number is sent. And the expectation is, upstream BGP AS, AS 100 would do the BGP best-path selection decision based on AS Path attribute and it chooses a shorter AS Path link over the longer AS Path link, thus Customer's expectation can be achieved and the left path can be used a primary and right path can be used as a backup.

Where does BGP AS Path Prepending doesn't work?

What if upstream AS, AS 100 doesn't use AS Path attribute as the best path selection criteria but already increased its BGP Local Preference value over the right path. BGP Local Preference attribute is compared before the BGP As-path attribute, thus AS 100 would send the traffic over the right path which is expected as a backup by the Customer. So, your upstream Service Provider BGP policy and your BGP policy may not always be the same.

You may want them to influence the BGP best-path selection based on AS-path thus you try to do AS path prepend, but they might be using BGP Local preference as their best path selection decision. In this case, BGP communities are used. With the BGP community, the idea is the same. The customer wants to influence the BGP best-path selection decision of the upstream provider and uses the BGP Community attribute instead of the BGP AS-path attribute.

Why BGP AS Prepend can be dangerous?

With BGP Prepend, basically, we increased the number of BGP ASes in the AS-Path by adding our own AS number multiple times. We are telling the upstream connection that, don't prefer this link. Find another way to send the traffic to us. There are some attack types on the Internet. These are Sub-prefix Hijacks, Exact-Prefix Hijacks, some types of BGP Route Leaks, and so on. Prepending AS multiple times increases the Exact Prefix Hijack Attack chance a lot.

Because with this attack, the attacker wants to influence the traffic by announcing your own BGP AS number, claiming they are the real owner of the BGP AS, but their AS-path length is shorter, and the networks that they see the attacker is closer, send the traffic to the attacker networks.BGP AS Path prepending just helps the attacker to be successful. Another reason why we shouldn't use excessive BGP Prepend is, that many AS on the Internet filter excessive AS Path length announcements.